I feel like I’m constantly receiving emails warning me about a program’s security vulnerability, saying how I need to download a patch. With all these alerts, I often grow exasperated about the number of security patches that I’m supposed to apply to this or that. I’m just a writer with a single computer. I can’t imagine being an MSP owner trying to keep on top of dozens of clients’ patching regimens.
Many smaller MSPs still manually apply security patches. While this method can be useful for accommodating and personalizing the service for each client and for keeping costs down, the time involved can often negate the savings. Applying patches manually can also result in delays and unsecured systems because of the sheer number of patches involved. Therefore, you should include patch management as a part of your service package. It turns out I’m not the only one who gets exhausted when thinking about patching.
Sean Convery, VP and GM of the Security Business Unit at ServiceNow, recently told Forbes, “Patching is a losing battle. There are so many open vulnerabilities – sometimes in the millions. People are barely staying ahead of the most urgent vulnerabilities.”
A ServiceNow survey of 3000 cybersecurity professionals last year showed that 57 percent of data breach victims were breached due to an unpatched known vulnerability. The Forbes article pointed out that enterprises typically have thousands of different pieces of software, ranging from mobile apps on phones to legacy systems running in on-premises data centers, and everything in between. Not to mention the whole phenomenon of BYOD, which brings its own set of vulnerabilities.
We aren’t suggesting MSPs should ditch patching, because they shouldn’t. However, you want to patch smart, which means automating as much as possible, prioritizing patches, and learning where the most critical vulnerabilities lie. The Forbes article points out that part of the problem is the “patching gap.” There is often a lull between the time a patch is released and when it is applied.
Mind the gap
SmarterMSP checked in with Alana Maurushat, Professor of Cybersecurity and Behavior at Western Sydney University, to find out why this gap exists. According to her, it’s not one reason, but several.
“Today, most major cyber-attacks are still due to unpatched bugs and vulnerabilities,” Maurushat explains. She points to two key reasons, the first being that the patch is not automated. Instead, it relies on a user or account holder to run the software to patch the system. The second, less common reason is that the user may not know how to properly run the software to patch the system in cases where it is not automated.
Another issue with patching arises when a product is developed but the company later decides to stop supporting it as it ages out of the system.
Maurushat provides the example, “Many older Microsoft products remain unpatched. Additionally, a counterfeit product may not have patches. It is difficult in some parts of the world to know if you are purchasing a genuine counterfeit software product.”
Other delays can be caused by a company knowing there is a problem, but not being able to remedy it quickly.
“This is more common where the bug exists in computer code, typically not from major technology vendors. A technology vendor such as Apple may have rapid deployment of patches, whereas the manufacturer of a drone may not,” describes Maurushat. Moreover, there are corporate forces out of anyone’s control that may come into play.
“Patches have been known to be delayed when there is a major event happening with the corporation, such as the announcement to go from a privately held corporation to a publicly listed corporation. Patching can be perceived as a public acknowledgment of a security vulnerability or the existence of a bug in the product. Alternatively, the new patch may inadvertently affect other parts of a device or product,” explains Maurushat.
Other patching delays can come from wanting to save a few pennies, as Maurushat touches upon: “Some companies charge for advanced notice of patches. Many users of the product may elect not to pay for the advanced notice, causing a delay between when the patch is first available for a fee and when the patch becomes available for free.” However, this can end up being very costly if this delay results in a breach.
The patching perils of BYOD
Dr. Abubakar Bello, cybersecurity instructor at Western Sydney University, tells SmarterMSP, “BYOD complicates patching on so many levels. A key challenge is how organizations could maintain effective oversight of the different personal devices employees are using, and whether or not these devices are up to date on patches.”
Bello says that because BYOD devices are not generally owned by the enterprise, their security is largely out of the enterprise’s control, as well as the MSP’s.
“We could assume that during the registration/onboarding of BYOD devices, organizations can track and gain visibility of the devices as part of their device inventory and assessment in terms of patch updates. Still, the company may not be able to enforce any updates on the devices, since they do not own them,” Bello says. However, that doesn’t mean there aren’t some containment tools.
“In some cases, they can prevent some devices from accessing network resources if security requirements are not met. This is usually possible when the devices are not jailbroken or modded (by the employees, malicious insiders, or hackers), or the organization has heavily invested in effective Mobile Device Management and Mobile Application Management systems which are also regularly patched,” adds Bello.
Patching is clearly far from being an automatic guarantee, but our advice is to keep patching anyway. To achieve maximum protection while using patching, prioritize and follow these best practices for the most effective patching regimen.